
What the hackers want your account for
After two more guildmates got hacked last week, I decided to check and change my account security. I’ve used an authenticator since shortly after they were released, which I think is 90% of the protection that can be applied.
The other 10% comes down to obvious email addresses, spyware, and the same password reused for different purposes.
If for whatever reason you don’t have an authenticator then please get one. I really believe that if the hackers find an account with an authenticator then they’ll think about an easier target. Even if there are only 5% of players who don’t have them (only blizzard knows I guess), then that is still 550,000 of 11 million accounts. Would you rather be in the group that are easy targets, or the group that are significantly harder to hack?
Like most folks, RealID and the BattleNet integration were not around when I picked which email address to use, and my Warcraft account name was not too crazy, but still within the bounds of something I could remember. When we all changed to using our email addresses to login I kept the default one I’d used for sign-up.
This is a bad idea, and needed to be changed.
Step One – Change the email address
This was an easy switch: I just had to create a new email account specifically for WoW, then login to Battle Net and change to that email address. I chose an account that allows you to auto-forward to other addresses, and also will remain secret, so my de facto WoW account is a placeholder which directs to my normal account.
This new account also allows the email address not to be listed, spammed, or otherwise bothered by the internet using some clever filtering – which means messages to that address are either legit from Blizzard Activision, or a spammer guessing addresses. All the advantages of the email systems, with no way in hell the account username and password will be guessed, as it really has nothing to do with me.
Step Two – Make all the passwords strong
I took a pragmatic approach. Not so complex that it hurts my brain to recall them, but certainly not so easy as to be names of my street, cat, or my partner’s name.
All the passwords in use are now longer than 8 characters, have a combination of uppercase, lowercase, numbers and special characters. They are as secure as I think is reasonable for a game password. For a good overview read the Wikipedia page on password strength. http://en.wikipedia.org/wiki/Password_strength
I do think it is odd that WoW will let a password work ignoring upper and lower case sensitivity (or did last time I tried). Seems a poor application of security practice.
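As an added example that is not part of the original post, the Python script below checks a password against the policy described in Step Two (longer than 8 characters, with uppercase, lowercase, digits and special characters) and estimates the brute-force keyspace in bits, both for a case-sensitive server and for one that folds case before comparing, to put a number on the case-insensitivity oddity mentioned above. The sample passwords are constructed for illustration and are not from the post.

```python
import math
import string

# Character classes used by the policy in the post:
# uppercase, lowercase, digits and special characters.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

MIN_LENGTH = 9  # "longer than 8 characters"


def check_policy(password):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name} character")
    return failures


def keyspace_bits(password, case_sensitive=True):
    """Estimate the brute-force keyspace of a password in bits.

    The alphabet size is taken from the character classes the password
    actually uses (a common strength-meter heuristic, assumed here).
    With case_sensitive=False, upper and lower case collapse into a single
    26-letter class, modelling a server that ignores case when checking.
    """
    chars = set(password)
    has_upper = bool(chars & CLASSES["upper"])
    has_lower = bool(chars & CLASSES["lower"])
    alphabet = 0
    if case_sensitive:
        alphabet += 26 * has_upper + 26 * has_lower
    elif has_upper or has_lower:
        alphabet += 26
    if chars & CLASSES["digit"]:
        alphabet += 10
    if chars & CLASSES["special"]:
        alphabet += len(string.punctuation)  # 32 ASCII punctuation characters
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def case_fold_loss_bits(password):
    """Bits of keyspace lost if the server folds case before comparing."""
    return keyspace_bits(password) - keyspace_bits(password, case_sensitive=False)


if __name__ == "__main__":
    # Constructed sample passwords: a weak pet name and a policy-compliant one.
    for pw in ("fluffy", "Tr0ub4dor&3"):
        print(f"{pw!r}: failures={check_policy(pw)}")
        print(f"  case-sensitive keyspace  : {keyspace_bits(pw):.1f} bits")
        print(f"  case-insensitive keyspace: {keyspace_bits(pw, case_sensitive=False):.1f} bits")
        print(f"  lost to case folding     : {case_fold_loss_bits(pw):.1f} bits")
```

For an 11-character password mixing all four classes the case-sensitive alphabet is 94 symbols and the case-folded one is 68, so folding case costs roughly five bits, which is a 32-fold reduction in the work an attacker needs to do.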
Step Three – Scan the PC
This really should have been step one, but I did a full scan about 1 week ago, so I’m not overly worried about having a Trojan or keylogger. Antivirus and scanning is good for peace of mind.
Step Four – Double Check it Works
I then closed everything, logged out of Windows, logged back in, and connected to the game. It did all the steps properly, including asking for the authenticator code, so appears to be stable.
Closing thoughts soapbox
I’ll be interested to see if this has any effect on the RealID system, but I’ve read somewhere that once you are linked to people, they don’t need the email address anymore, as the link is present. Odd isn’t it.
You need to give your personal login to “friends”, but would a handle or nickname not have been better? I question the setup of this system, and think everything should be created around a unique handle created specifically for BattleNet – which is then linked to an email account. That way all our game activity, forum activity, and other messaging could be on the handle, not the email or real name.
Happy and secure killing.